suricata
decode-erspan.c
Go to the documentation of this file.
1 /* Copyright (C) 2020-2021 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \ingroup decode
20  *
21  * @{
22  */
23 
24 
25 /**
26  * \file
27  *
28  * \author Victor Julien <victor@inliniac.net>
29  *
30  * Decodes ERSPAN Types I and II
31  */
32 
33 #include "suricata-common.h"
34 #include "suricata.h"
35 #include "decode.h"
36 #include "decode-events.h"
37 #include "decode-erspan.h"
38 
39 #include "util-validate.h"
40 #include "util-unittest.h"
41 #include "util-debug.h"
42 #include "conf.h"
43 
44 /**
45  * \brief Functions to decode ERSPAN Type I and II packets
46  */
47 
48 /*
49  * \brief ERSPAN Type I was configurable in 5.0.x but is no longer configurable.
50  *
51  * Issue a warning if a configuration setting is found.
52  */
53 void DecodeERSPANConfig(void)
54 {
55  int enabled = 0;
56  if (SCConfGetBool("decoder.erspan.typeI.enabled", &enabled) == 1) {
57  SCLogWarning("ERSPAN Type I is no longer configurable and it is always"
58  " enabled; ignoring configuration setting.");
59  }
60 }
61 
62 /**
63  * \brief ERSPAN Type I
64  */
65 int DecodeERSPANTypeI(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p,
66  const uint8_t *pkt, uint32_t len)
67 {
68  StatsIncr(tv, dtv->counter_erspan);
69 
70  return DecodeEthernet(tv, dtv, p, pkt, len);
71 }
72 
73 /**
74  * \brief ERSPAN Type II
75  */
76 int DecodeERSPAN(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len)
77 {
78  DEBUG_VALIDATE_BUG_ON(pkt == NULL);
79 
80  StatsIncr(tv, dtv->counter_erspan);
81 
82  if (len < sizeof(ErspanHdr)) {
83  ENGINE_SET_EVENT(p,ERSPAN_HEADER_TOO_SMALL);
84  return TM_ECODE_FAILED;
85  }
86  if (!PacketIncreaseCheckLayers(p)) {
87  return TM_ECODE_FAILED;
88  }
89 
90  const ErspanHdr *ehdr = (const ErspanHdr *)pkt;
91  uint16_t version = SCNtohs(ehdr->ver_vlan) >> 12;
92  uint16_t vlan_id = SCNtohs(ehdr->ver_vlan) & 0x0fff;
93 
94  SCLogDebug("ERSPAN: version %u vlan %u", version, vlan_id);
95 
96  /* only v1 is tested at this time */
97  if (version != 1) {
98  ENGINE_SET_EVENT(p,ERSPAN_UNSUPPORTED_VERSION);
99  return TM_ECODE_FAILED;
100  }
101 
102  if (vlan_id > 0) {
103  if (p->vlan_idx > VLAN_MAX_LAYER_IDX) {
104  ENGINE_SET_EVENT(p,ERSPAN_TOO_MANY_VLAN_LAYERS);
105  return TM_ECODE_FAILED;
106  }
107  p->vlan_id[p->vlan_idx] = vlan_id;
108  p->vlan_idx++;
109  }
110 
111  return DecodeEthernet(tv, dtv, p, pkt + sizeof(ErspanHdr), len - sizeof(ErspanHdr));
112 }
113 
114 /**
115  * @}
116  */
ENGINE_SET_EVENT
#define ENGINE_SET_EVENT(p, e)
Definition: decode.h:1186
len
uint8_t len
Definition: app-layer-dnp3.h:2
ERSPAN_HEADER_TOO_SMALL
@ ERSPAN_HEADER_TOO_SMALL
Definition: decode-events.h:209
decode-erspan.h
StatsIncr
void StatsIncr(ThreadVars *tv, uint16_t id)
Increments the local counter.
Definition: counters.c:166
DecodeERSPAN
int DecodeERSPAN(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len)
ERSPAN Type II.
Definition: decode-erspan.c:76
DecodeERSPANConfig
void DecodeERSPANConfig(void)
Functions to decode ERSPAN Type I and II packets.
Definition: decode-erspan.c:53
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:275
Packet_::vlan_idx
uint8_t vlan_idx
Definition: decode.h:529
DecodeThreadVars_::counter_erspan
uint16_t counter_erspan
Definition: decode.h:1014
SCConfGetBool
int SCConfGetBool(const char *name, int *val)
Retrieve a configuration value as a boolean.
Definition: conf.c:497
TM_ECODE_FAILED
@ TM_ECODE_FAILED
Definition: tm-threads-common.h:82
util-unittest.h
decode.h
util-debug.h
DecodeERSPANTypeI
int DecodeERSPANTypeI(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len)
ERSPAN Type I.
Definition: decode-erspan.c:65
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
SCLogWarning
#define SCLogWarning(...)
Macro used to log WARNING messages.
Definition: util-debug.h:255
Packet_
Definition: decode.h:501
conf.h
decode-events.h
dtv
DecodeThreadVars * dtv
Definition: fuzz_decodepcapfile.c:33
SCNtohs
#define SCNtohs(x)
Definition: suricata-common.h:431
suricata-common.h
version
uint8_t version
Definition: decode-gre.h:1
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
util-validate.h
DecodeThreadVars_
Structure to hold thread specific data for all decode modules.
Definition: decode.h:963
VLAN_MAX_LAYER_IDX
#define VLAN_MAX_LAYER_IDX
Definition: decode-vlan.h:52
suricata.h
Packet_::vlan_id
uint16_t vlan_id[VLAN_MAX_LAYERS]
Definition: decode.h:528
ERSPAN_UNSUPPORTED_VERSION
@ ERSPAN_UNSUPPORTED_VERSION
Definition: decode-events.h:210
ERSPAN_TOO_MANY_VLAN_LAYERS
@ ERSPAN_TOO_MANY_VLAN_LAYERS
Definition: decode-events.h:211
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:102
DecodeEthernet
int DecodeEthernet(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len)
Definition: decode-ethernet.c:42